Class: Mongo::Crypt::Handle Private

Inherits:

Object

• Object
• Mongo::Crypt::Handle

Defined in:

lib/mongo/crypt/handle.rb

Overview

This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.

A handle to the libmongocrypt library that wraps a mongocrypt_t object, allowing clients to set options on that object or perform operations such as encryption and decryption

Instance Attribute Summary

• #kms_providers ⇒ Crypt::KMS::Credentials readonly private

  Credentials for KMS providers.

Instance Method Summary

• #crypt_shared_lib_available? ⇒ Boolean private
• #crypt_shared_lib_version ⇒ Object private
• #initialize(kms_providers, kms_tls_options, options = {}) ⇒ Handle constructor private

  Creates a new Handle object and initializes it with options.

• #kms_tls_options(provider) ⇒ Hash private

  Return TLS options for KMS provider.

• #ref ⇒ FFI::Pointer private

  Return the reference to the underlying @mongocrypt object.

Constructor Details

#initialize(kms_providers, kms_tls_options, options = {}) ⇒ Handle

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Creates a new Handle object and initializes it with options

Parameters:

• kms_providers (Crypt::KMS::Credentials) —

  Credentials for KMS providers.

• kms_tls_options (Hash) —

  TLS options to connect to KMS providers. Keys of the hash should be KSM provider names; values should be hashes of TLS connection options. The options are equivalent to TLS connection options of Mongo::Client.

• options (Hash) (defaults to: {}) —

  A hash of options.

Options Hash (options):

• :schema_map (Hash | nil) —

  A hash representing the JSON schema of the collection that stores auto encrypted documents. This option is mutually exclusive with :schema_map_path.

• :schema_map_path (String | nil) —

  A path to a file contains the JSON schema of the collection that stores auto encrypted documents. This option is mutually exclusive with :schema_map.

• :encrypted_fields_map (Hash | nil) —

  maps a collection namespace to an encryptedFields.

  • Note: If a collection is present on both the encryptedFieldsMap and schemaMap, an error will be raised.

• :bypass_query_analysis (Boolean | nil) —

  When true disables automatic analysis of outgoing commands.

• :crypt_shared_lib_path (String | nil) —

  Path that should be the used to load the crypt shared library. Providing this option overrides default crypt shared library load paths for libmongocrypt.

• :crypt_shared_lib_required (Boolean | nil) —

  Whether crypt_shared library is required. If ‘true’, an error will be raised if a crypt_shared library cannot be loaded by libmongocrypt.

• :explicit_encryption_only (Boolean | nil) —

  Whether this handle is going to be used only for explicit encryption. If true, libmongocrypt is instructed not to load crypt shared library.

• :disable_crypt_shared_lib_search (Boolean | nil) —

  When true, suppresses the automatic “$SYSTEM” search for crypt_shared. Use this when a previous Handle in the same process has already loaded the library via a path override and you want to avoid the conflicting-load error that libmongocrypt raises on a subsequent “$SYSTEM” search.

• :logger (Logger) —

  A Logger object to which libmongocrypt logs will be sent

Raises:

• (Mongo::Error::CryptError)

# File 'lib/mongo/crypt/handle.rb', line 69

def initialize(kms_providers, kms_tls_options, options = {})
  # FFI::AutoPointer uses a custom release strategy to automatically free
  # the pointer once this object goes out of scope
  @mongocrypt = FFI::AutoPointer.new(
    Binding.mongocrypt_new,
    Binding.method(:mongocrypt_destroy)
  )
  Binding.kms_ctx_setopt_retry_kms(self, true)
  @kms_providers = kms_providers
  @kms_tls_options = kms_tls_options

  maybe_set_schema_map(options)

  @encrypted_fields_map = options[:encrypted_fields_map]
  set_encrypted_fields_map if @encrypted_fields_map

  @bypass_query_analysis = options[:bypass_query_analysis]
  set_bypass_query_analysis if @bypass_query_analysis

  @crypt_shared_lib_path = options[:crypt_shared_lib_path]
  @explicit_encryption_only = options[:explicit_encryption_only]
  @disable_crypt_shared_lib_search = options[:disable_crypt_shared_lib_search]
  if @crypt_shared_lib_path
    Binding.setopt_set_crypt_shared_lib_path_override(self, @crypt_shared_lib_path)
  elsif !@bypass_query_analysis && !@explicit_encryption_only && !@disable_crypt_shared_lib_search
    Binding.setopt_append_crypt_shared_lib_search_path(self, '$SYSTEM')
  end

  @logger = options[:logger]
  set_logger_callback if @logger

  set_crypto_hooks

  Binding.setopt_kms_providers(self, @kms_providers.to_document)

  if @kms_providers.aws&.empty? || @kms_providers.gcp&.empty? || @kms_providers.azure&.empty?
    Binding.setopt_use_need_kms_credentials_state(self)
  end

  initialize_mongocrypt

  @crypt_shared_lib_required = !!options[:crypt_shared_lib_required]
  return unless @crypt_shared_lib_required && crypt_shared_lib_version == 0

  raise Mongo::Error::CryptError.new(
    'Crypt shared library is required, but cannot be loaded  according to libmongocrypt'
  )
end

Instance Attribute Details

#kms_providers ⇒ Crypt::KMS::Credentials (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns Credentials for KMS providers.

Returns:

• (Crypt::KMS::Credentials) —

  Credentials for KMS providers.

# File 'lib/mongo/crypt/handle.rb', line 29

def kms_providers
  @kms_providers
end

Instance Method Details

#crypt_shared_lib_available? ⇒ Boolean

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns:

• (Boolean)

# File 'lib/mongo/crypt/handle.rb', line 139

def crypt_shared_lib_available?
  crypt_shared_lib_version != 0
end

#crypt_shared_lib_version ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/mongo/crypt/handle.rb', line 135

def crypt_shared_lib_version
  Binding.crypt_shared_lib_version(self)
end

#kms_tls_options(provider) ⇒ Hash

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Return TLS options for KMS provider. If there are no TLS options set, empty hash is returned.

Parameters:

• provider (String) —

  KSM provider name.

Returns:

• (Hash) —

  TLS options to connect to KMS provider.

# File 'lib/mongo/crypt/handle.rb', line 131

def kms_tls_options(provider)
  @kms_tls_options.fetch(provider, {})
end

#ref ⇒ FFI::Pointer

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Return the reference to the underlying @mongocrypt object

Returns:

• (FFI::Pointer)

# File 'lib/mongo/crypt/handle.rb', line 121

def ref
  @mongocrypt
end